Hi,

Thanks for letting me know.

Best,
Mahir

On Sun, Feb 14, 2021, 9:08 AM Mike Drob <md...@mdrob.com> wrote:

> Future vulnerability reports should be sent to secur...@apache.org so
> that they can be resolved privately.
>
> Thank you
>
> On Fri, Feb 12, 2021 at 10:17 AM Ishan Chattopadhyaya <
> ichattopadhy...@gmail.com> wrote:
>
>> Recent versions of Solr use 2048.
>>
>> https://github.com/apache/lucene-solr/blob/branch_8_6/solr/core/src/java/org/apache/solr/util/CryptoKeys.java#L332
>>
>> Thanks for your report.
>>
>> On Fri, Feb 12, 2021 at 3:44 PM Mahir Kabir <mdmahiras...@vt.edu> wrote:
>>
>> > Hello,
>> >
>> > I am a Ph.D. student at Virginia Tech, USA. While working on a security
>> > project-related work, we came across the following vulnerability in the
>> > source code -
>> >
>> > In file
>> > https://github.com/apache/lucene-solr/blob/branch_6_6/solr/core/src/java/org/apache/solr/util/CryptoKeys.java
>> > <https://github.com/apache/ranger/blob/71e1dd40366c8eb8e9c498b0b5158d85d603af02/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java>
>> > (at Line 300) Key Size was set as 1024.
>> >
>> > *Security Impact*:
>> >
>> > < 2048 key size for RSA algorithm makes the system vulnerable to
>> > brute-force attack
>> >
>> > *Useful resource*:
>> > https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-4426
>> >
>> > *Solution we suggest*:
>> >
>> > For RSA algorithm, the key size should be >= 2048
>> >
>> > *Please share with us your opinions/comments if there is any*:
>> >
>> > Is the bug report helpful?
>> >
>> > Please let us know what you think about the issue. Any feedback will be
>> > appreciated.
>> >
>> > Thank you,
>> > Md Mahir Asef Kabir
>> > Ph.D. Student
>> > Department of CS
>> > Virginia Tech
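
An added example, not part of this thread and not Solr's code: a Java check for the key-size rule discussed above, applied both when generating a key pair and when loading an RSA public key that already exists, since a key created at 1024 bits stays 1024 bits after the generator default changes. The class name, method names and the `MIN_RSA_BITS` constant are assumptions made for illustration.

```java
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.X509EncodedKeySpec;

public class RsaKeySizeCheck {
    // Minimum modulus size suggested in the report (hypothetical constant name).
    static final int MIN_RSA_BITS = 2048;

    // Generate an RSA key pair, refusing sizes below the minimum.
    static KeyPair generate(int bits) throws Exception {
        if (bits < MIN_RSA_BITS) {
            throw new IllegalArgumentException(
                "RSA key size " + bits + " is below " + MIN_RSA_BITS);
        }
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(bits);
        return gen.generateKeyPair();
    }

    // The size of an existing RSA key is the bit length of its modulus.
    static int modulusBits(PublicKey key) {
        if (!(key instanceof RSAPublicKey)) {
            throw new IllegalArgumentException("not an RSA key: " + key.getAlgorithm());
        }
        return ((RSAPublicKey) key).getModulus().bitLength();
    }

    // Decode an X.509 (SubjectPublicKeyInfo) encoded public key and check its size.
    static boolean isAcceptable(byte[] x509Encoded) throws Exception {
        PublicKey key = KeyFactory.getInstance("RSA")
            .generatePublic(new X509EncodedKeySpec(x509Encoded));
        return modulusBits(key) >= MIN_RSA_BITS;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a legacy 1024-bit key, generated directly
        // the way code with a 1024 default would have produced it.
        KeyPairGenerator legacy = KeyPairGenerator.getInstance("RSA");
        legacy.initialize(1024);
        byte[] oldKey = legacy.generateKeyPair().getPublic().getEncoded();
        byte[] newKey = generate(2048).getPublic().getEncoded();

        System.out.println("legacy key acceptable: " + isAcceptable(oldKey));
        System.out.println("new key acceptable:    " + isAcceptable(newKey));
    }
}
```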